Ansible is used to bring the core services up on the required servers; those servers and services are then maintained with Ansible.
Newly provisioned servers need a small amount of setup before they can be targeted with the Ansible roles defined here.
The public SSH key of the user running the Ansible playbooks must be present on the remote server before a playbook can start and run. Normally a user account and password with super-user access is supplied for the newly provisioned server, or alternatively the root password is provided.
Once the key has been uploaded to the server using that account, Ansible can SSH to the server without a password, since password-less public-key authentication is used.
Specific playbooks have been written to bring these servers into a standardised state so that the subsequent playbooks run in the manner intended. These initial playbooks create the initial user accounts and change the behaviour of SSH, namely disallowing remote root login and allowing only password-less public-key authentication.
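The bootstrap these initial playbooks perform, written out as an added example (this is not the project's own update_admin_key.yml; the admin user name, the controller key path and an EL8/EL9 target are assumptions):

```yaml
# Added example, not the project's playbook. Installs the controller user's public
# key for the admin account and changes sshd as the text describes. Assumed: the
# account is "admin", the key is ~/.ssh/id_ed25519.pub on the controller, EL8/EL9 host.
- name: Bootstrap a newly provisioned host
  hosts: all
  become: true            # first run against the vendor account: -u root -k (or -u <user> -k -K)
  vars:
    admin_user: admin
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
  tasks:
    - name: Ensure the admin account exists and is in wheel
      ansible.builtin.user:
        name: "{{ admin_user }}"
        groups: wheel
        append: true
        shell: /bin/bash

    - name: Install the controller's public key for the admin user
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"

    - name: Let wheel sudo without a password so later plays can use become
      ansible.builtin.copy:
        dest: /etc/sudoers.d/wheel
        content: "%wheel ALL=(ALL) NOPASSWD: ALL\n"
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    # The key is installed before these settings take effect, otherwise the next
    # login would be locked out. validate rejects a config that sshd cannot parse.
    - name: Disallow remote root login and password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: PubkeyAuthentication, value: "yes" }
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

On EL9 hosts, check /etc/ssh/sshd_config.d/ as well, since a drop-in there takes precedence over the main file for the same keyword.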
There are the following environments to choose from when running the script.
Within each of these environments, you can choose the following host groups.
```shell
sudo su - admin
ssh-copy-id root@<server ip/fqdn>
```
Now go to the new server and change its password:

```shell
sudo passwd root
```
Also make sure that the DNS servers to be used are reachable:

```shell
vi /etc/resolv.conf
```

```text
nameserver 8.8.8.8
nameserver 8.8.4.4
#nameserver 1xx.1xx.1xx.x
#nameserver 1xx.1xx.1xx.x
```
```shell
cd /home/admin/ansible
vim environments/setup/hosts
cd ansible
ansible-playbook -i environments/setup/hosts update_admin_key.yml
# The next playbook updates all packages. It is optional and not enforced, but running the
# latest patch level on a server is always recommended unless there is a very specific reason not to.
ansible-playbook -i environments/setup/hosts update_host_software.yml
```
```text
fatal: [192.10.10.3]: FAILED! => {"changed": true, "cmd": ["rpm", "--import", "https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux"], "delta": "0:00:00.782032", "end": "2025-03-19 11:53:21.356508", "msg": "non-zero return code", "rc": 1, "start": "2025-03-19 11:53:20.574476", "stderr": "warning: Signature not supported. Hash algorithm SHA1 not available.\nerror: https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux: key 1 import failed.", "stderr_lines": ["warning: Signature not supported. Hash algorithm SHA1 not available.", "error: https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux: key 1 import failed."], "stdout": "", "stdout_lines": []}
```
If the software update fails as shown above, do the following; you will need to SSH to each new server manually.

```shell
rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
dnf update ca-certificates
```
If you get the error 'Hash algorithm SHA1 not available', re-enable SHA1 in the system crypto policy with the following:

```shell
sudo update-crypto-policies --set DEFAULT:SHA1
sudo reboot
```
Once this completes you can re-run step 5.
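The manual recovery above, automated as an added example (this is not the project's update_host_software.yml); the key URL and the DEFAULT:SHA1 policy are the ones from the error output and steps above, everything else is assumed:

```yaml
# Added example, not the project's playbook. The signing-key import fails when the
# system crypto policy rejects the key's SHA1 self-signature; the rescue relaxes the
# policy to DEFAULT:SHA1, reboots and retries, exactly as the manual steps do.
- name: Import the AlmaLinux signing key and refresh CA certificates
  hosts: all
  become: true
  vars:
    almalinux_key: https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
  tasks:
    - name: Import the repository signing key
      block:
        - name: Try the import under the current crypto policy
          ansible.builtin.rpm_key:
            key: "{{ almalinux_key }}"
            state: present
      rescue:
        # Only the SHA1 policy error is handled here; anything else stays a failure.
        - name: Fail on anything other than the SHA1 policy error
          ansible.builtin.fail:
            msg: "Key import failed for another reason: {{ ansible_failed_result.msg }}"
          when: "'SHA1' not in (ansible_failed_result.msg | default(''))"

        # This leaves the host at DEFAULT:SHA1, as the manual steps on this page do.
        - name: Allow SHA1 in the system crypto policy
          ansible.builtin.command: update-crypto-policies --set DEFAULT:SHA1

        - name: Reboot so every service picks up the new policy
          ansible.builtin.reboot:

        - name: Retry the import
          ansible.builtin.rpm_key:
            key: "{{ almalinux_key }}"
            state: present

    - name: Update the CA certificate bundle
      ansible.builtin.dnf:
        name: ca-certificates
        state: latest
```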
```shell
./playbook.sh <environment> basics <hosts in the environment> -e "restart_service=true clean_temp=false reboot=false"
```
7.1. Download from GitHub (not working)

```shell
git clone https://github.com/ansible-lockdown/RHEL8-CIS.git
```

7.2. Install the collections needed in requirements.yml (not working)

```shell
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
ansible-galaxy collection install community.crypto
```

7.3. Run the playbook (not working)

```shell
ansible-playbook -i hosts-setup rhel-cis/RHEL8-CIS/site.yml
```
This will run the "basic" Ansible role against a single host named "servername.domain.co.za" found under the prod environment.
```shell
sudo su - admin
cd ansible
./playbook.sh <environment> <role> <servergroup>
```
This will run the "basic" Ansible role against the host group labelled "test" found under the prod environment.
```shell
sudo su - admin
cd ansible
./playbook.sh prod basics test
```
With this method the script accepts an additional parameter that defines the state of environment variables at runtime. These values override the ones set in the role and so can be used for more advanced tasks that generally aren't wanted or expected during normal playbook execution. Each role will have its

```shell
sudo su - admin
cd ansible
./playbook.sh prod basics test -e "restart_service=true clean_temp=false"
```
To access the roles that contain the various playbooks:

```shell
sudo su - admin
cd ansible/roles
```
| Name | Function | Tag options |
|---|---|---|
| BASICS | Basic initial server configuration. | `restart_service=true` (restarts the services after running); `clean_temp=false` (clears the /tmp/ dir) |
| COUCHDB | Installs CouchDB (currently 3.3.1). | `-e "couchdb_clustered=true administrator_password=xxx jwt_key=<jwt_key here> admins_lucene_password=xxx"` |
| COUCHDB_OPTIMIZE | Sets up the optimisation parameters and file limits. | ??? |
| ELASTIC | Installs the Elastic stack. | `-e "elastic_setup=true elastic_set_passwords=true"` when setting up a new instance. `-e "elastic_upgrade_latest=true"` to run the upgrade once all upgrade preparations have been done. |
| KIBANA | Installs Kibana. | `-e "kibana_set_passwords=true kibana_setup=true KIBANA_ELASTIC_password=xxxxxxxx"` when setting up a new instance. `-e "kibana_upgrade_latest=true"` to run the upgrade once all upgrade preparations have been done. |
| MYSQL | Installs MySQL version 5.7.30. | `-e "mysql_harden=true mysql_setup=true"`. If the server does not want to start, make sure SELinux is set to permissive mode. |
| NGINX | Installs Nginx. | `-e "nginx_setup=true"` |
| NODEJS | Installs Node.js and the core betterdata application. | ??? |
| REDIS | Installs Redis. | ??? |
| RHEL-CIS | Not sure. | ??? |
```shell
ansible -m command -a "sudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"105.233.67.134/32\" port protocol=\"tcp\" port=\"5984\" accept'" cluster
ansible -m command -a "sudo firewall-cmd --reload" cluster
ansible -m command -a "sudo firewall-cmd --zone=trusted --add-source=41.76.208.248/32 --permanent" cluster
ansible -m command -a "sudo firewall-cmd --reload" cluster
```
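The same two firewall changes as an idempotent play, added here as an example (not from the page); the addresses, port and the `cluster` group are the ones used above, the use of ansible.posix.firewalld is the assumption:

```yaml
# Added example, not the project's code. permanent + immediate writes the permanent
# configuration and applies it to the running firewall in one step, so the separate
# --reload from the ad-hoc commands is not needed, and re-runs report no change.
- name: Open CouchDB to one client and trust one source on the cluster hosts
  hosts: cluster
  become: true
  tasks:
    - name: Allow TCP/5984 from a single address via a rich rule
      ansible.posix.firewalld:
        rich_rule: rule family="ipv4" source address="105.233.67.134/32" port port="5984" protocol="tcp" accept
        permanent: true
        immediate: true
        state: enabled

    - name: Add a source address to the trusted zone
      ansible.posix.firewalld:
        zone: trusted
        source: 41.76.208.248/32
        permanent: true
        immediate: true
        state: enabled
```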
- Appserver (Redis, Mysql, Node, exist-db): kwantu02 197.242.147.53
- Nginx: kwantu00 154.0.170.230
- DBCluster:
  - User write: kwantu00 154.0.170.230
  - Read lucene: kwantu03 154.0.170.247
  - Node Services: kwantu05 154.0.174.153
- Reports (existdb, kibana, elastic): kwantu06 154.0.175.164
- Staging Server: kwantu04 154.0.174.125
- 10.155.78.115